Dark Reading, Partner Perspectives
Gavin Millard, 09:05 AM

Flash: Web Browser Plugins Are Vulnerable

Maybe it's time to uninstall Flash for those who don't need it and continuously monitor those who do.

Adobe Flash has been in the press a lot recently after several zero-day vulnerabilities were disclosed. Facebook's CISO is calling for an end-of-life date, and Brian Krebs, the well-known infosec journalist (along with many others), is calling for everyone to uninstall the software. Flash has had major vulnerabilities before; everyone is used to the almost daily pop-up from Adobe asking to install the latest version, so why the sudden momentum?

When eagle-eyed researchers reviewed the treasure trove of information from the Hacking Team breach, they discovered that the security company of choice for dictatorships had three previously undisclosed and unpatched vulnerabilities it had been using to infect targets. The vulnerabilities were bad; in fact Hacking Team described one as "the most beautiful Flash bug for the last four years." The 400GB data dump also included handy proof-of-concept code that was quickly rolled into the Angler and Neutrino exploit kits before Adobe had even released an updated version of Flash to fix the "beautiful bug."

The first stage of an attack is usually establishing an initial foothold, getting a malicious virtual foot in the door. In a targeted attack this foothold is frequently gained by phishing or social engineering: persuading a hapless employee to give up credentials, click a link, plug in a dodgy USB device, or download and run malicious code. Take the famous RSA breach of a few years ago: the initial intrusion was reportedly a phishing email carrying an Excel spreadsheet, labelled as a recruitment plan, with a Flash exploit embedded in it. Curiosity about the contents was tempting enough for an employee to retrieve the message from the junk folder and open the attachment, ignoring all the training they'd had from the security team.

Manipulating "Layer 8" insecurities is a frequently used way in, but why go to that effort when easily exploitable, unpatched browser or plugin vulnerabilities are sitting on millions of laptops? Cybercriminals will often take the easy path to infection, targeting the low-hanging fruit with off-the-shelf malware rather than creating bespoke, complex and targeted code. We hear so much about Advanced Persistent Threats, but for the majority of users an intrusion is far more likely to come from a known, easily exploitable vulnerability.

Uninstall Flash Unless It Is Required

If no fix is available, or it takes more than a few days to deploy the ones that are, what can be done to protect users from this growing threat vector? Uninstalling vulnerable software is a viable option, but many people still need Flash for day-to-day work on business-critical systems (and for browser games). Disabling Flash, or setting it to click-to-play, is another option, but users can easily be manipulated into clicking to run the player, so click-to-play only moves the social-engineering step rather than removing it. Anti-malware offers some protection, but even when deployed and up to date it is often behind the curve on the latest obfuscation techniques used by exploit kit authors. If you can't prevent, you need to detect.

Utilize Strong Detective Controls On Systems Where Flash Is Required

The ability to detect indicators of compromise, such as unexpected autoruns, known malicious code missed by AV, and connections to command-and-control servers frequently used by attackers, has improved by leaps and bounds in the last few years and should be part of any defense-in-depth strategy. Deploying robust detective controls built on these approaches, alongside traditional preventive and corrective controls, should reduce the risk of an unknown or unpatched client-side vulnerability becoming the initial foothold so many fear.

One major concern with detective controls is false positives: security analysts drown under the weight of alerts from the various threat intelligence feeds and logs. This is where context is critical. One approach for focusing on the risky rather than the risk-free is to identify systems running the browser plugins that malware authors are targeting, or out-of-date browsers that are easily attacked, and then use that context to elevate alerts for possible indicators of compromise on those systems.

Visibility is another concern. What about all those remote workers, now a favored target because they are less protected than their counterparts at corporate headquarters? Agents installed on their devices can collect vulnerability information, software inventory, configuration issues and indicators of compromise. Agents should always be considered in a rigorous detective control program, and the collected data should be sent back to corporate for correlation and prioritization.
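The correlation the last three paragraphs describe, as an added example in Python that is not from the original article or from the author's product: it takes a constructed agent inventory (which hosts have Flash, and which build), runs two simple indicator checks over constructed endpoint log lines (a connection to an address on a known command-and-control list, and an autorun entry pointing into a user-writable directory), and raises the severity of any hit on a host whose Flash build is older than an assumed minimum patched build. The host names, version numbers, key=value log format, C2 address list and severity ladder are all assumptions made for the demo.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed agent inventory (assumption): hostname -> {plugin name: version string}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "lt-finance-07": {"Adobe Flash Player": "18.0.0.194"},  # older than the patched build
    "lt-design-02": {"Adobe Flash Player": "18.0.0.209"},   # at the patched build
    "lt-sales-11": {},                                      # Flash uninstalled
}

# Assumed minimum patched Flash build for the demo; take the real value from the vendor advisory.
FLASH_MIN_PATCHED: Version = (18, 0, 0, 209)

# Constructed command-and-control watchlist using RFC 5737 documentation addresses.
KNOWN_C2 = {"203.0.113.7", "198.51.100.23"}

# Constructed endpoint telemetry in a space-separated key=value format (no spaces inside values).
LOG_LINES = [
    r"ts=2015-07-14T09:05:01Z host=lt-finance-07 event=netconn proc=iexplore.exe dst=203.0.113.7:443",
    r"ts=2015-07-14T09:05:03Z host=lt-design-02 event=netconn proc=chrome.exe dst=198.51.100.23:8080",
    r"ts=2015-07-14T09:05:09Z host=lt-sales-11 event=netconn proc=outlook.exe dst=192.0.2.10:443",
    r"ts=2015-07-14T09:06:00Z host=lt-finance-07 event=autorun key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd path=C:\Users\bob\AppData\Local\Temp\upd.exe",
    r"ts=2015-07-14T09:06:05Z host=lt-design-02 event=autorun key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Tray path=C:\Windows\System32\SecurityHealthSystray.exe",
]

SEVERITY = ["low", "medium", "high", "critical"]
# Autorun targets under these directories are writable by an ordinary user, a classic dropper location.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
KV = re.compile(r"(\w+)=(\S+)")


def parse_version(text: str) -> Version:
    """'18.0.0.194' -> (18, 0, 0, 194) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def flash_exposure(host: str) -> str:
    """Classify a host as 'absent', 'patched' or 'vulnerable' from its inventory record."""
    version = INVENTORY.get(host, {}).get("Adobe Flash Player")
    if version is None:
        return "absent"
    return "vulnerable" if parse_version(version) < FLASH_MIN_PATCHED else "patched"


def parse_line(line: str) -> Dict[str, str]:
    """Split one telemetry line into a field dictionary."""
    return dict(KV.findall(line))


def base_indicator(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) if the event matches an indicator of compromise, else None."""
    kind = event.get("event")
    if kind == "netconn":
        ip = event.get("dst", "").rsplit(":", 1)[0]
        if ip in KNOWN_C2:
            return "high", f"{event.get('proc')} connected to known C2 {ip}"
    elif kind == "autorun":
        path = event.get("path", "")
        if USER_WRITABLE.search(path):
            return "medium", f"autorun points into a user-writable path: {path}"
    return None


def elevate(severity: str, steps: int = 1) -> str:
    """Move a severity up the ladder, saturating at the top."""
    index = min(len(SEVERITY) - 1, SEVERITY.index(severity) + steps)
    return SEVERITY[index]


def score_events(lines: List[str]) -> List[Dict[str, str]]:
    """Turn raw log lines into alerts, elevating hits on hosts that run out-of-date Flash."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        hit = base_indicator(event)
        if hit is None:
            continue
        severity, reason = hit
        exposure = flash_exposure(event["host"])
        if exposure == "vulnerable":
            severity = elevate(severity)
            reason += " [host runs out-of-date Flash]"
        alerts.append({"host": event["host"], "severity": severity, "flash": exposure, "reason": reason})
    # Highest severity first; the sort is stable, so ties keep log order.
    alerts.sort(key=lambda alert: SEVERITY.index(alert["severity"]), reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in score_events(LOG_LINES):
        print(f"{alert['severity']:<8} {alert['host']:<14} flash={alert['flash']:<10} {alert['reason']}")
```

In a real deployment the patched-build constant comes from the vendor advisory, the inventory from the endpoint agents described above, and the C2 list from a threat-intelligence feed. The point of the exercise is that the same indicator on an exposed host outranks it on a host where Flash is patched or removed, so the analyst looks at lt-finance-07 first rather than working through the queue in arrival order.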

Since Steve Jobs made the controversial decision to keep Flash off Apple's shiny iOS devices, many mainstream websites have moved to HTML5 or alternative technologies to support the millions of devoted fans of all things "i." Maybe it's time to uninstall Flash for those who don't need it and continuously monitor for indicators of compromise on the systems of those who do.

Gavin Millard is a trained, ethical hacker who works with medium and large enterprises to address their cybersecurity challenges. With a deep understanding of how attackers plot a breach, he helps bring these companies to a trusted state of IT infrastructure. He previously ...
Reader comment (8/27/2015, 9:46:30 AM):
Funny how a website article about the vulnerability of Flash wants you to run the add-on Adobe Flash Player from Adobe Systems Incorporated...